#!/bin/bash
#
# 检查 SSL 证书状态
# 作者: 知汛项目组
# 最后更新: 2024-11-07

# 颜色定义
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m'

# 默认配置
DOMAIN="ws.waterism.tech"
PORT="8444"
VERBOSE=false

# 显示帮助
show_help() {
    cat << EOF
用法: $0 [选项]

检查 SSL 证书状态和有效期

选项:
    --domain DOMAIN    域名（默认: ws.waterism.tech）
    --port PORT        端口（默认: 8444）
    --verbose          显示详细信息
    --help             显示此帮助信息

示例:
    # 检查前端证书（8444）
    bash $0

    # 检查CDN证书（6443）
    bash $0 --port 6443

    # 详细输出
    bash $0 --verbose
EOF
}

# 解析参数
while [[ $# -gt 0 ]]; do
    case $1 in
        --domain)
            DOMAIN="$2"
            shift 2
            ;;
        --port)
            PORT="$2"
            shift 2
            ;;
        --verbose)
            VERBOSE=true
            shift
            ;;
        --help)
            show_help
            exit 0
            ;;
        *)
            echo -e "${RED}未知参数: $1${NC}"
            show_help
            exit 1
            ;;
    esac
done

echo "======================================"
echo "检查 SSL 证书"
echo "======================================"
echo "域名: $DOMAIN"
echo "端口: $PORT"
echo ""

# 检查本地证书文件
echo -e "${YELLOW}[1/3] 检查本地证书文件...${NC}"

CERT_FILE="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"

if [ -f "$CERT_FILE" ]; then
    echo -e "${GREEN}✓ 证书文件存在${NC}"
    
    # 显示证书信息
    echo ""
    echo "证书信息:"
    openssl x509 -in "$CERT_FILE" -noout -subject -issuer -dates
    
    # 计算剩余天数
    EXPIRY_DATE=$(openssl x509 -in "$CERT_FILE" -noout -enddate | cut -d= -f2)
    EXPIRY_EPOCH=$(date -d "$EXPIRY_DATE" +%s 2>/dev/null || date -j -f "%b %d %T %Y %Z" "$EXPIRY_DATE" +%s)
    CURRENT_EPOCH=$(date +%s)
    DAYS_LEFT=$(( ($EXPIRY_EPOCH - $CURRENT_EPOCH) / 86400 ))
    
    echo ""
    echo "证书有效期: $DAYS_LEFT 天"
    
    if [ $DAYS_LEFT -lt 30 ]; then
        echo -e "${RED}警告: 证书将在30天内过期！${NC}"
    elif [ $DAYS_LEFT -lt 60 ]; then
        echo -e "${YELLOW}提示: 证书将在60天内过期${NC}"
    else
        echo -e "${GREEN}证书有效期正常${NC}"
    fi
else
    echo -e "${RED}✗ 证书文件不存在: $CERT_FILE${NC}"
fi

# 检查在线证书
echo ""
echo -e "${YELLOW}[2/3] 检查在线证书...${NC}"

if command -v openssl &> /dev/null; then
    CERT_INFO=$(echo | openssl s_client -connect "$DOMAIN:$PORT" -servername "$DOMAIN" 2>/dev/null | openssl x509 -noout -dates 2>/dev/null)
    
    if [ $? -eq 0 ]; then
        echo -e "${GREEN}✓ HTTPS连接成功${NC}"
        echo "$CERT_INFO"
    else
        echo -e "${RED}✗ 无法连接到 $DOMAIN:$PORT${NC}"
    fi
else
    echo -e "${YELLOW}openssl 未安装，跳过在线检查${NC}"
fi

# 详细信息
if [ "$VERBOSE" = true ]; then
    echo ""
    echo -e "${YELLOW}[3/3] 详细信息...${NC}"
    
    echo ""
    echo "证书链:"
    openssl s_client -connect "$DOMAIN:$PORT" -servername "$DOMAIN" 2>/dev/null | grep -A 20 "Certificate chain"
    
    echo ""
    echo "TLS版本:"
    openssl s_client -connect "$DOMAIN:$PORT" -servername "$DOMAIN" 2>/dev/null | grep "Protocol"
    
    echo ""
    echo "加密套件:"
    openssl s_client -connect "$DOMAIN:$PORT" -servername "$DOMAIN" 2>/dev/null | grep "Cipher"
fi

echo ""
echo -e "${GREEN}✓ 检查完成${NC}"

